[Security] W32.Induc Targets and Attacks Software Development Phase

W32.Induc is a worm making the rounds these days. It attacks the software development phase by putting its malicious code into the Delphi library files, thus adding itself to the compilation process. Thereafter, any file compiled with the infected Delphi compiler will also be infected.

The worm copies the malicious code into the SysConst.pas file present in the Lib folder. The worm also renames the existing SysConst.dcu file to SysConst.bak. A new SysConst.dcu is then created by compiling the malicious SysConst.pas file. The worm then deletes the original SysConst.pas file.

In order to detect and clean the worm, follow the steps mentioned below.

  • Run a full system scan to detect and quarantine the W32/Induc (W32.Induc) infected files.
  • Delete the SysConst.dcu file from the \Lib folder where the Delphi compiler is installed.
  • Rename the SysConst.bak file present in the \Lib folder to SysConst.dcu.
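
The last two steps can be scripted for machines with several Delphi installations. The sketch below is an added example, not code from the original post or from McAfee: it takes the path of a Delphi Lib folder as an argument, and the function names are made up for illustration. It treats a SysConst.bak file in that folder as a trace worth checking rather than proof of infection, and it only lists the planned actions unless dry_run is switched off.

```python
from pathlib import Path

def find_ci(lib_dir, name):
    """Case-insensitive file lookup (Windows file names ignore case)."""
    for p in Path(lib_dir).iterdir():
        if p.is_file() and p.name.lower() == name.lower():
            return p
    return None

def check_lib(lib_dir):
    """Report the file-level traces described in the post for one Lib folder."""
    bak = find_ci(lib_dir, "SysConst.bak")
    dcu = find_ci(lib_dir, "SysConst.dcu")
    return {
        "backup_present": bak is not None,
        "dcu_present": dcu is not None,
        # The worm renames the original unit to SysConst.bak, so the backup
        # file is the trace that marks this folder for clean-up.
        "suspect": bak is not None,
    }

def restore_lib(lib_dir, dry_run=True):
    """Clean-up steps 2 and 3: drop the suspect .dcu, put the backup back.

    Returns the list of actions, planned (dry_run=True) or performed.
    """
    bak = find_ci(lib_dir, "SysConst.bak")
    if bak is None:
        return []  # nothing to restore from, leave the folder untouched
    dcu = find_ci(lib_dir, "SysConst.dcu")
    actions = []
    if dcu is not None:
        actions.append(f"delete {dcu.name}")
        if not dry_run:
            dcu.unlink()
    actions.append(f"rename {bak.name} -> SysConst.dcu")
    if not dry_run:
        bak.rename(bak.with_name("SysConst.dcu"))
    return actions

if __name__ == "__main__":
    import sys
    # Usage: python check_induc.py "<path to Delphi>\Lib" [more Lib folders...]
    for folder in sys.argv[1:]:
        print(folder, check_lib(folder), restore_lib(folder, dry_run=True))
```

Run the full system scan from the first step before restoring, and rebuild and rescan any executables that were compiled while the suspect SysConst.dcu was in place.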

BitDefender and Kaspersky refer to the virus as Win32.Induc.A. This virus does not have a malicious payload. It just spreads through the compiled executables.

Many customers feel they have got a false positive, since a file they compiled on their own is now detected. The reason is that the virus was compiled into the binary itself. This threat has also been going on unnoticed for almost a year, so customers will submit files that have not changed in over a year, and that are homegrown, on CD or from a reliable source, thinking the detection is a false positive.

On a victim’s machine this virus searches for the presence of specific versions (4.0, 5.0, 6.0 and 7.0) of the Delphi compiler. The virus gathers this information using the registry entry.

Adapted from McAfee
